Getting a Grip on Open Source Software Proliferation

As open source software penetrates ever deeper into corporate America, a potential crisis looms. There are all sorts of licenses, and therefore all sorts of rules for how different open source packages can be used. As a result, companies not only have to track the many pieces of software floating around in their organizations but also keep all the rules straight. It's relatively easy if they're using one thing - say, Linux. Beyond that, the headaches ensue. The way to head off trouble is to simplify licenses, pare down the number of licenses, and automate the tracking of software. Fortunately for corporations, open source mavens have been hard at work on all three.

Earlier this week, the Open Source Initiative, the body that certifies open source licenses, launched an effort to pare down the number of actively used licenses by bestowing preferred status on a handful of the 50 licenses it has already approved. In addition, it's setting up a more selective process for screening new licenses.

At the same time, tech leaders are pushing to come up with licenses that are simpler and less restrictive. Sun Microsystems, for instance, has written its own, called the Common Development and Distribution License, which gives corporate users and software developers considerable latitude when they use the open source version of Sun's Solaris operating system. Here's Sun President Jonathan Schwartz's explanation of why they went that way.

The automated tracking stuff got its start on a beach in Cancun in 2002. Serial entrepreneur Doug Levin was "relaxing" on the beach by reading Martin Fink's The Business and Economics of Linux and Open Source. Even then, Fink, who is Hewlett-Packard's vice president for Linux, foresaw the coming license-proliferation problem. Levin spotted a solution: products for detecting and managing open source packages. He ran off to his hotel room and pounded out 255 PowerPoint slides that laid the foundation for Black Duck Software.

Jump ahead to now. Black Duck just came out with its fourth product, an online service for managing open source software. It's based on the same technology as the company's flagship product, protexIP Development, which came out a year ago and which customers install on their own computers. The technology scans software packages to detect the presence of open source code, determines where it came from, tracks the licensing requirements that come with it, and helps developers manage all the moving parts. To convince people they need his products, Levin asks them to hand over sample chunks of software and puts them to the test. "We almost always find something rude," says Levin.

Irony alert! Black Duck's products are mostly made with proprietary software. For those who want a basic open source detector and don't want to pay for it, try OSI founder Eric Raymond's Comparator.
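To make the scanning idea concrete (both the detect-origins-and-licenses step described for Black Duck's technology above and the kind of fingerprint comparison Comparator does), here is a toy scanner. It is an added example written for this page, not code from Black Duck, Comparator or any real project: it hashes overlapping windows of normalized source lines ("shreds") from a set of known packages, looks those hashes up in a file under review, and separately checks which license headers the file declares. The "known" packages (libfoo, bar-utils), the scanned file and the license regexes are all constructed for the illustration.

```python
"""Toy software-composition scanner (added example, not a real product's code).

Two checks a license-tracking tool needs:
  1. detect_licenses: which license headers does a file declare?
  2. scan: which known open source packages does its code actually contain?
The known packages and the scanned file below are constructed sample data.
"""
import hashlib
import re
from collections import defaultdict

SHRED_LINES = 3  # window size: smaller windows find more, shorter matches

# Rough license-header patterns (this example's own, not a complete list).
LICENSE_PATTERNS = {
    "GPL-2.0": re.compile(r"GNU General Public License.*version 2", re.I | re.S),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
}

# Constructed "known package" corpus: name -> license and representative source.
KNOWN = {
    "libfoo": {
        "license": "GPL-2.0",
        "text": """/* libfoo: released under the GNU General Public License, version 2 */
int foo_checksum(const unsigned char *buf, size_t len)
{
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (sum << 3) ^ buf[i];
    return sum & 0xffff;
}
""",
    },
    "bar-utils": {
        "license": "MIT",
        "text": """/* Permission is hereby granted, free of charge, to any person obtaining a copy */
char *bar_trim(char *s)
{
    while (*s == ' ')
        s++;
    return s;
}
""",
    },
}

# Constructed file under review: declares MIT in its header, but the body is a
# re-indented copy of libfoo's GPL code. This is the mismatch a scanner should flag.
SCANNED = """// Permission is hereby granted, free of charge, to any person ...
// (our internal header)
static int local_helper(int x) { return x + 1; }

int foo_checksum(const unsigned char *buf, size_t len)
{
        unsigned int sum = 0;
        for (size_t i = 0; i < len; i++)
                sum = (sum << 3) ^ buf[i];
        return sum & 0xffff;
}
"""


def normalize(line):
    """Collapse whitespace and drop blank and comment-only lines (#, //, /* and
    C-style ' * ' continuation lines) so reformatting does not defeat the match."""
    line = re.sub(r"\s+", " ", line).strip()
    if not line or line.startswith(("#", "//", "/*", "*")):
        return None
    return line


def shreds(text):
    """Yield (sha256 hex, index) for every SHRED_LINES-line window of code lines."""
    lines = [l for l in (normalize(x) for x in text.splitlines()) if l is not None]
    for i in range(len(lines) - SHRED_LINES + 1):
        window = "\n".join(lines[i:i + SHRED_LINES]).encode()
        yield hashlib.sha256(window).hexdigest(), i


def build_index(known):
    """Map each shred hash to the set of known packages it occurs in."""
    index = defaultdict(set)
    for name, pkg in known.items():
        for h, _ in shreds(pkg["text"]):
            index[h].add(name)
    return index


def detect_licenses(text):
    """Return the sorted list of license identifiers whose header text appears."""
    return sorted(spdx for spdx, pat in LICENSE_PATTERNS.items() if pat.search(text))


def scan(text, known, min_shreds=2):
    """Return {package: {"matched_shreds": n, "license": ...}} for every known
    package whose fingerprints appear at least min_shreds times in text.
    min_shreds suppresses one-off hits on boilerplate such as a lone '{' block."""
    index = build_index(known)
    hits = defaultdict(int)
    for h, _ in shreds(text):
        for pkg in index.get(h, ()):
            hits[pkg] += 1
    return {p: {"matched_shreds": n, "license": known[p]["license"]}
            for p, n in hits.items() if n >= min_shreds}


def report(text, known):
    """Declared licenses versus licenses of the code actually found inside."""
    found = scan(text, known)
    return {"declared": detect_licenses(text),
            "found": sorted({v["license"] for v in found.values()}),
            "packages": found}


if __name__ == "__main__":
    print(report(SCANNED, KNOWN))
```

Running it reports that the scanned file declares MIT while five of its shreds match libfoo, which is GPL-2.0: exactly the kind of "rude" finding the article describes. A real scanner differs in scale rather than kind: a far larger fingerprint corpus, more robust normalization (tokens rather than lines, so renamed variables still match), and a proper license database instead of three regexes.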